Support LDAP method start_tls

config/config.exs

@@ -361,6 +361,8 @@
   port: String.to_integer(System.get_env("LDAP_PORT") || "389"),
   ssl: System.get_env("LDAP_SSL") == "true",
   sslopts: [],
+  tls: System.get_env("LDAP_TLS") == "true",
+  tlsopts: [],
   base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
   uid: System.get_env("LDAP_UID") || "cn"
 

docs/config.md

@@ -329,13 +329,21 @@ config :auto_linker,
 
 ## :ldap
 
+Use LDAP for user authentication.  When a user logs in to the Pleroma
+instance, the name and password will be verified by trying to authenticate
+(bind) to an LDAP server.  If a user exists in the LDAP directory but there
+is no account with the same name yet on the Pleroma instance then a new
+Pleroma account will be created with the same name as the LDAP user name.
+
 * `enabled`: enables LDAP authentication
 * `host`: LDAP server hostname
 * `port`: LDAP port, e.g. 389 or 636
-* `ssl`: true to use SSL
+* `ssl`: true to use SSL, usually implies the port 636
 * `sslopts`: additional SSL options
+* `tls`: true to start TLS, usually implies the port 389
+* `tlsopts`: additional TLS options
 * `base`: LDAP base, e.g. "dc=example,dc=com"
-* `uid`: attribute type to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
+* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
 
 ## Pleroma.Web.Auth.Authenticator
 

lib/pleroma/web/auth/ldap_authenticator.ex

@@ -60,6 +60,34 @@ defp ldap_user(name, password) do
     case :eldap.open([to_charlist(host)], options) do
       {:ok, connection} ->
         try do
+          if Keyword.get(ldap, :tls, false) do
+            :application.ensure_all_started(:ssl)
+
+            case :eldap.start_tls(
+                   connection,
+                   Keyword.get(ldap, :tlsopts, []),
+                   @connection_timeout
+                 ) do
+              :ok ->
+                :ok
+
+              error ->
+                Logger.error("Could not start TLS: #{inspect(error)}")
+            end
+          end
+
+          bind_user(connection, ldap, name, password)
+        after
+          :eldap.close(connection)
+        end
+
+      {:error, error} ->
+        Logger.error("Could not open LDAP connection: #{inspect(error)}")
+        {:error, {:ldap_connection_error, error}}
+    end
+  end
+
+  defp bind_user(connection, ldap, name, password) do
     uid = Keyword.get(ldap, :uid, "cn")
     base = Keyword.get(ldap, :base)
 
@@ -76,14 +104,6 @@ defp ldap_user(name, password) do
       error ->
         error
     end
-        after
-          :eldap.close(connection)
-        end
-
-      {:error, error} ->
-        Logger.error("Could not open LDAP connection: #{inspect(error)}")
-        {:error, {:ldap_connection_error, error}}
-    end
   end
 
   defp register_user(connection, base, uid, name, password) do
@@ -91,6 +111,7 @@ defp register_user(connection, base, uid, name, password) do
            {:base, to_charlist(base)},
            {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
            {:scope, :eldap.wholeSubtree()},
+           {:attributes, ['mail', 'email']},
            {:timeout, @search_timeout}
          ]) do
       {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} ->
@@ -110,7 +131,9 @@ defp register_user(connection, base, uid, name, password) do
             error -> error
           end
         else
-          _ -> {:error, :ldap_registration_missing_attributes}
+          _ ->
+            Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}")
+            {:error, :ldap_registration_missing_attributes}
         end
 
       error ->